[pkg-cryptsetup-devel] Bug#1065073: cryptsetup: Make the information about changes of default cypher and hash in 2.7.0 more visible

Guilhem Moulin guilhem at debian.org
Thu Feb 29 12:20:57 GMT 2024


Control: reassign -1 cryptsetup-bin

Hi,

On Thu, 29 Feb 2024 at 11:57:52 +0000, Jurij Smakov wrote:
> While this change is mentioned in the upstream release notes, I could not
> find any mention of it in the Debian's changelog or NEWS file.

The (upstream) change is in the cryptsetup-bin binary package, not cryptsetup.
Its NEWS file reads:

    cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium

      Default cipher and password hashing for plain mode have respectively
      been changed to aes-xts-plain64 and sha256 (from aes-cbc-essiv:sha256
      resp. ripemd160).

      The new values matches what is used for LUKS, but the change does NOT
      affect LUKS volumes.

      This is a backward incompatible change for plain mode when relying on
      the defaults, which (for plain mode only) is strongly advised against.
      For many releases the Debian wrappers found in the ‘cryptsetup’ binary
      package have spewed a loud warning for plain devices from crypttab(5)
      where ‘cipher=’ or ‘hash=’ are not explicitly specified.  The
      cryptsetup(8) executable now issue such a warning as well.

     -- Guilhem Moulin <guilhem at debian.org>  Wed, 29 Nov 2023 17:19:10 +0100

Also the source package has the following changelog entry:

    cryptsetup (2:2.7.0~rc0-1) experimental; urgency=medium

      * New upstream release candidate 2.7.0:
        […]
        + plain mode: Set default cipher to aes-xts-plain64 and password hashing
          to sha256.  This is a backward incompatible change for plain mode when
          relying on the defaults.  It doesn't affect LUKS volumes.  Defaults for
          plain mode should not be relied upon anyway; for many releases the
          Debian wrappers found in the ‘cryptsetup’ binary package spew a loud
          warning when ‘cipher=’ or ‘hash=’ are not explicitly specified in the
          crypttab(5) options of plain devices.  The cryptsetup(8) executable now
          issue such a warning as well.
        […]

     -- Guilhem Moulin <guilhem at debian.org>  Wed, 29 Nov 2023 17:19:10 +0100

-- 
Guilhem.
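
A check for the case the NEWS entry describes, as an added example that is not part of the original message or of the Debian packaging: it lists crypttab(5) entries that may be plain mode and do not set ‘cipher=’ or ‘hash=’ explicitly. The function names, the sample entries and the rule that an entry naming none of ‘luks’, ‘tcrypt’ or ‘bitlk’ may be plain mode are assumptions made for the example.

```sh
#!/bin/sh
# Added example: report crypttab(5) entries that may rely on plain-mode defaults.

# Constructed sample in crypttab(5) layout: target, source, key file, options.
sample_crypttab() {
    cat <<'EOF'
# <target> <source device> <key file> <options>
root_crypt /dev/sda1 none luks,discard
swap0 /dev/sda2 /dev/urandom swap,cipher=aes-xts-plain64,size=256,hash=sha256
scratch /dev/sdb1 none plain
tmp0 /dev/sdc1 /dev/urandom plain,cipher=aes-xts-plain64,tmp
EOF
}

# Reads crypttab lines on stdin and prints one line per entry that names no
# header-based type (assumption: such an entry may be plain mode) and omits
# cipher= and/or hash=.
plain_defaults_audit() {
    while read -r target source keyfile options _; do
        case "$target" in
            ''|'#'*) continue ;;          # skip blank lines and comments
        esac
        typed=0
        missing_cipher=' cipher='
        missing_hash=' hash='
        old_ifs=$IFS
        IFS=,                             # options are comma-separated
        for opt in $options; do
            case "$opt" in
                luks|tcrypt|bitlk) typed=1 ;;   # parameters come from the header
                cipher=?*) missing_cipher='' ;;
                hash=?*) missing_hash='' ;;
            esac
        done
        IFS=$old_ifs
        if [ "$typed" -eq 1 ]; then
            continue
        fi
        if [ -n "$missing_cipher$missing_hash" ]; then
            printf '%s: missing%s%s\n' "$target" "$missing_cipher" "$missing_hash"
        fi
    done
    return 0
}

# Run against the constructed sample; use `plain_defaults_audit < /etc/crypttab`
# to check a real file.
sample_crypttab | plain_defaults_audit
```

Any entry it reports should get the cipher and hash the volume was created with written into its options; before 2.7.0 the plain-mode defaults were aes-cbc-essiv:sha256 and ripemd160, as stated in the NEWS entry above.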